diff --git a/pub/api/v1/permissions/index.php b/pub/api/v1/permissions/index.php index 27c9de8..e0a31e4 100644 --- a/pub/api/v1/permissions/index.php +++ b/pub/api/v1/permissions/index.php @@ -47,8 +47,10 @@ if ($API_permissions->request_method === 'GET') { } elseif ($API_permissions->request_method === 'PUT') { - # Update the permission name and description - $API_permissions->checkPermissions('admin-access-control-permissions', 'RW'); + # Only superuser can delete permission due to fact that the backend needs programming when setting a permission + if (!$API_permissions->isSuperuser()) { + $API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']); + } $requiredFields = [ 'permission_uuid' => ['type' => 'uuid'], diff --git a/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php b/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php index c00c13f..1c0a09d 100644 --- a/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php +++ b/pub/bin/pages/portal-management/pageAccessControl_permission_edit.php @@ -18,7 +18,8 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php'; # Check permissions $API = new API(); -if (!$API->checkPermissions('admin-access-control-permissions', 'RW', true)) { +# Only superuser can delete permission due to fact that the backend needs programming when setting a permission +if (!$API->isSuperuser()) { echo 'error 401 unauthorized'; exit; } diff --git a/pub/bin/pages/portal-management/pageAccessControl_view.php b/pub/bin/pages/portal-management/pageAccessControl_view.php index 7ecd59f..ddeedad 100644 --- a/pub/bin/pages/portal-management/pageAccessControl_view.php +++ b/pub/bin/pages/portal-management/pageAccessControl_view.php @@ -201,7 +201,7 @@ while ($row = $stmt->fetch_assoc()) {